* Timothy R. Chavez (chavezt gmail com) wrote:
> I think it's reasonable enough to keep it virtual. The added benefit
> to doing it this way is we no longer need the mapnode data structure.
> We assume that all files and directories to be audited complete paths
> that already exist in the file system. Because we're storing
> information on the parent node, the file or directory to be audited
> does not have to exist, but when it does exist, it will get audited.
> If the parent directory is destroyed and then recreated, there's no
> way for it to regain knowledge of what it's supposed to be watching
> or if it's on the path to something that needs to be watched. There
> are disadvantages to not supporting this, but for simplicity's sake,
> someone could simply restart auditd or whatever to remap the changes.
Each process has a namespace (potentially private). So /etc/sensitive
may not be the same file in each namespace.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net